Details

All versions of Samba from 4.0.0 onwards are vulnerable to infinite query recursion caused by CNAME loops. Any dns record can be added via ldap by an unprivileged user using the ldbadd tool, so this is a security issue.

When configured to accept smart-card authentication, Samba's KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ.

This is only possible after authentication with a trusted certificate.

talloc is robust against further corruption from a double-free with talloc_free() and directly calls abort(), terminating the KDC process.

There is no further vulnerability associated with this issue, merely a denial of service.

During the processing of an LDAP search before Samba's AD DC returns the LDAP entries to the client, the entries are cached in a single memory object with a maximum size of 256MB. When this size is reached, the Samba process providing the LDAP service will follow the NULL pointer, terminating the process.

There is no further vulnerability associated with this issue, merely a denial of service.

This is a security release in order to address the following defects:

Details

All versions of Samba from 4.0.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash.

There is no known vulnerability associated with this error, merely a denial of service. If the RPC spoolss service is left by default as an internal service, all a client can do is crash its own authenticated connection.

On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users.

Possible workarounds are described at a dedicated page in the Samba wiki:

Samba 4.7.5

Release Notes for Samba 4.7.5

February 7, 2018

This is the latest stable release of the Samba 4.7 release series.

Major enhancements include:

BUG #13228: This is a major issue in Samba's ActiveDirectory domain controller code. It might happen that AD objects have missing or broken linked attributes. This could lead to broken group memberships e.g. All Samba AD domain controllers set up with Samba 4.6 or lower and then upgraded to 4.7 are affected. The corrupt database can be fixed with 'samba-tool dbcheck --cross-ncs --fix'.

Samba 4.7.4

This is the latest stable release of the Samba 4.7 release series.

smbclient reparse point symlink parameters reversed

A bug in smbclient caused the 'symlink' command to reverse the meaning of the new name and link target parameters when creating a reparse point symlink against a Windows server.

This only affects using the smbclient 'symlink' command against a Windows server, not a Samba server using the UNIX extensions (the parameter order is correct in that case) so no existing user scripts that depend on creating symlinks on Samba servers need to change.

As this is a little used feature the ordering of these parameters has been reversed to match the parameter ordering of the UNIX extensions 'symlink' command. This means running 'symlink' against both Windows and Samba now uses the same paramter ordering in both cases.

The usage message for this command has also been improved to remove confusion.

This is a security release

Details

All versions of Samba from 4.0.0 onwards are vulnerable to a use after free vulnerability, where a malicious SMB1 request can be used to control the contents of heap memory via a deallocated heap pointer. It is possible this may be used to compromise the SMB server.

All versions of Samba from 3.6.0 onwards are vulnerable to a heap memory information leak, where server allocated heap memory may be returned to the client without being cleared.

There is no known vulnerability associated with this error, but uncleared heap memory may contain previously used data that may help an attacker compromise the server via other methods. Uncleared heap memory may potentially contain password hashes or other high-value data.

Samba 4.7.0

Release Notes for Samba 4.7.0

September 20, 2017

Release Announcements

This is the first stable release of Samba 4.7.

Please read the release notes carefully before upgrading.

UPGRADING

smbclient changes

'smbclient' no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]' banner when connecting to the first server. With SMB2 and Kerberos there's no way to print this information reliable. Now we avoid it at all consistently. In interactive session the following banner is now presented to the user: 'Try "help" do get a list of possible commands.'.

The default for "client max protocol" has changed to "SMB3_11", which means that 'smbclient' (and related commands) will work against
servers without SMB1 support.

It's possible to use the '-m/--max-protocol' option to overwrite the "client max protocol" option temporarily.

Note that the '-e/--encrypt' option also works with most SMB3 servers (e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions are not required for encryption.

The change to SMB3_11 as default also means smbclient no longer negotiates SMB1 unix extensions by default, when talking to a Samba server with "unix extensions = yes". As a result, some commands are not available, e.g. 'posix_encrypt', 'posix_open', 'posix_mkdir', 'posix_rmdir', 'posix_unlink', posix_whoami', 'getfacl' and 'symlink'. Using "-mNT1" reenabled them, if the server supports SMB1.

Note: the default ("CORE") for "client min protocol" hasn't changed, so it's still possible to connect to SMB1-only servers by default.

'smbclient' learned a new command 'deltree' that is able to do a recursive deletion of a directory tree.

NEW FEATURES/CHANGES

Whole DB read locks: Improved LDAP and replication consistency

Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba erroneously did not take whole-DB read locks to protect search and DRS replication operations.

While each object returned remained subject to a record-level lock (so would remain consistent to itself), under a race condition with a rename or delete, it and any links (like the member attribute) to it would not be returned.

The symptoms of this issue include:

Replication failures with this error showing in the client side logs:

error during DRS repl ADD: No objectClass found in replPropertyMetaData for Failed to commit objects:

WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE

A crash of the server, in particular the rpc_server process with

INTERNAL ERROR: Signal 11

LDAP read inconsistency

A DN subject to a search at the same time as it is being renamed may not appear under either the old or new name, but will re-appear for a subsequent search.

See BUG #12858 for more details and updated advise on database recovery for affected installations.

Samba AD with MIT Kerberos

After four years of development, Samba finally supports compiling and running Samba AD with MIT Kerberos. You can enable it with:

./configure --with-system-mitkrb5

Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support. The krb5-devel and krb5-server packages are required. The feature set is not on par with with the Heimdal build but the most important things, like forest and external trusts, are working. Samba uses the KDC binary provided by MIT Kerberos.

Missing features, compared to Heimdal, are:

PKINIT support

S4U2SELF/S4U2PROXY support

RODC support (not fully working with Heimdal either)

The Samba AD process will take care of starting the MIT KDC and it will load a KDB (Kerberos Database) driver to access the Samba AD database. When provisioning an AD DC using 'samba-tool' it will take care of creating a correct kdc.conf file for the MIT KDC.

Dynamic RPC port range

The dynamic port range for RPC services has been changed from the old default value "1024-1300" to "49152-65535". This port range is not only used by a Samba AD DC but also applies to all other server roles including NT4-style domain controllers. The new value has been defined by Microsoft in Windows Server 2008 and newer versions. To make it easier for Administrators to control those port ranges we use the same default and make it configurable with the option: "rpc server dynamic port range".

The "rpc server port" option sets the first available port from the new "rpc server dynamic port range" option. The option "rpc server port" only applies to Samba provisioned as an AD DC.

Authentication and Authorization audit support

Detailed authentication and authorization audit information is now logged to Samba's debug logs under the "auth_audit" debug class, including in particular the client IP address triggering the audit line. Additionally, if Samba is compiled against the jansson JSON library, a JSON representation is logged under the "auth_json_audit" debug class.

Audit support is comprehensive for all authentication and authorisation of user accounts in the Samba Active Directory Domain Controller, as well as the implicit authentication in password changes. In the file server and classic/NT4 domain controller, NTLM authentication, SMB and RPC authorization is covered, however password changes are not at this stage, and this support is not currently backed by a testsuite.

Multi-process LDAP Server

The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process, rather than being forced into a single process. This aids in Samba's ability to scale to larger numbers of AD clients and the AD DC's overall resiliency, but will mean that there is a fork()ed child for every LDAP client, which may be more resource intensive in some situations. If you run Samba in a resource-constrained VM, consider allocating more RAM and swap space.

Improved Read-Only Domain Controller (RODC) Support

Support for RODCs in Samba AD until now has been experimental. With this latest version, many of the critical bugs have been fixed and the RODC can be used in DC environments requiring no writable behaviour. RODCs now correctly support bad password lockouts and password disclosure auditing through the msDS-RevealedUsers attribute.

The fixes made to the RWDC will also allow Windows RODC to function more correctly and to avoid strange data omissions such as failures to replicate groups or updated passwords. Password changes are currently rejected at the RODC, although referrals should be given over LDAP. While any bad passwords can trigger domain-wide lockout, good passwords which have not been replicated yet for a password change can only be used via NTLM on the RODC (and not Kerberos).

The reliability of RODCs locating a writable partner still requires some improvements and so the 'password server' configuration option is generally recommended on the RODC.

Samba 4.7 is the first Samba release to be secure as an RODC or when hosting an RODC. If you have been using earlier Samba versions to host or be an RODC, please upgrade.

Additional password hashes stored in supplementalCredentials

A new config option 'password hash userPassword schemes' has been added to enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext password with reversible encryption). This builds upon previous work to improve password sync for the AD DC (originally using GPG).

The user command of 'samba-tool' has been updated in order to be able to extract these additional hashes, as well as extracting the (HTTP) WDigest hashes that we had also been storing in supplementalCredentials.

Improvements to DNS during Active Directory domain join

The 'samba-tool' domain join command will now add the A and GUID DNS records (on both the local and remote servers) during a join if possible via RPC. This should allow replication to proceed more smoothly post-join.

The mname element of the SOA record will now also be dynamically generated to point to the local read-write server. 'samba_dnsupdate' should now be more reliable as it will now find the appropriate name server even when resolv.conf points to a forwarder.

Significant AD performance and replication improvements

Previously, replication of group memberships was been an incredibly expensive process for the AD DC. This was mostly due to unnecessary CPU time being spent parsing member linked attributes. The database now stores these linked attributes in sorted form to perform efficient searches for existing members. In domains with a large number of group memberships, a join can now be completed in half the time compared with Samba 4.6.

LDAP search performance has also improved, particularly in the unindexed search case. Parsing and processing of security descriptors should now be more efficient, improving replication but also overall performance.

Query record for open file or directory

The record attached to an open file or directory in Samba can be queried through the 'net tdb locking' command. In clustered Samba this can be useful to determine the file or directory triggering corresponding "hot" record warnings in ctdb.

Removal of lpcfg_register_defaults_hook()

The undocumented and unsupported function lpcfg_register_defaults_hook() that was used by external projects to call into Samba and modify smb.conf default parameter settings has been removed. If your project was using this call please raise the issue on samba-technical@lists.samba.org in order to design a supported way of obtaining the same functionality.

Change of loadable module interface

The _init function of all loadable modules in Samba has changed from:

NTSTATUS _init(void);

to:

NTSTATUS _init(TALLOC_CTX *);

This allows a program loading a module to pass in a long-lived talloc context (which must be guaranteed to be alive for the lifetime of the module). This allows modules to avoid use of the talloc_autofree_context() (which is inherently thread-unsafe) and still be valgrind-clean on exit. Modules that don't need to free long-lived data on exit should use the NULL talloc context.

Parameter changes

The "strict sync" global parameter has been changed from a default of "no" to "yes". This means smbd will by default obey client requests to synchronize unwritten data in operating system buffers safely onto disk. This is a safer default setting for modern SMB1/2/3 clients.

The 'ntlm auth' option default is renamed to 'ntlmv2-only', reflecting the previous behaviour. Two new values have been provided, 'mschapv2-and-ntlmv2-only' (allowing MSCHAPv2 while denying NTLMv1) and 'disabled', totally disabling NTLM authentication and password changes.

SHA256 LDAPS Certificates

The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature.

Replacing this certificate with a certificate signed by a trusted CA is still highly recommended.

CTDB changes

CTDB now ignores hints from Samba about TDB flags when attaching to databases

CTDB will use the correct flags depending on the type of database. For clustered databases, the smb.conf setting dbwrap_tdb_mutexes:*=true will be ignored. Instead, CTDB continues to use the TDBMutexEnabled tunable.

New configuration variable CTDB_NFS_CHECKS_DIR

See ctdbd.conf(5) for more details.

The CTDB_SERVICE_AUTOSTARTSTOP configuration variable has been removed

To continue to manage/unmanage services while CTDB is running:

Start service by hand and then flag it as managed

Mark service as unmanaged and shut it down by hand

In some cases CTDB does something fancy - e.g. start Samba under "nice", so care is needed. One technique is to disable the eventscript, mark as managed, run the startup event by hand and then re-enable the eventscript.

The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed

The example NFS Ganesha call-out has been improved

A new "replicated" database type is available

Replicated databases are intended for CTDB's internal use to replicate state data across the cluster, but may find other uses. The data in replicated databases is valid for the lifetime of CTDB and cleared on first attach.

Using x86_64 Accelerated AES Crypto Instructions

Samba on x86_64 can now be configured to use the Intel accelerated AES instruction set, which has the potential to make SMB3 signing and encryption much faster on client and server. To enable this, configure Samba using the new option --accel-aes=intelaesni.

This is a temporary solution that is being included to allow users to enjoy the benefits of Intel accelerated AES on the x86_64 platform, but the longer-term solution will be to move Samba to a fully supported external crypto library.

The third_party/aesni-intel code will be removed from Samba as soon as external crypto library performance reaches parity.

The default is to build without setting --accel-aes, which uses the existing Samba software AES implementation.